DHCPD with CARP (dhcpd only start if CARP status is MASTER)

Hello all,

my setup consists of two hosts with CARP and PFSYNC. This works so far. The dhcpd should only start on the host which has the CARP status MASTER. In /etc/devd/dhcpd, I set up a configuration which is in the sample section of man 4 carp. Additionally I wrote a little shell script which is triggered after devd notices the state change. This also works.
If I reboot a host, the Backup changes to state MASTER (the shell script starts dhcpd). But on the rebooted host, CARP still has status BACKUP and dhcpd gets started.
Is there a way to avoid starting dhcpd if CARP state is BACKUP?

Another question. The host with lower advskew does not switch back to MASTER after coming back online again. I expect this, but it does not work.

This is the config from the Master; on the Backup the advskew is 200.
Code:
ifconfig_vmx0="inet xx.154.xx.7 netmask 255.255.255.224"
ifconfig_vmx0_alias0="inet vhid 66 pass 2cd112ce6a18c493e63e7dd45234476e alias xx.154.xx.6/27 advskew 10"
 
But on the rebooted host, CARP still has status BACKUP and dhcpd gets started.

Is there a way to avoid starting dhcpd if CARP state is BACKUP?
Don't put dhcpd_enable="YES" in rc.conf. Rely on the CARP status via devd(8) to start the service (use service dhcpd onestart to start it so it doesn't need the *_enable="YES")

Another question. The host with lower advskew does not switch back to MASTER after coming back online again. I expect this, but it does not work.
Code:
     net.inet.carp.preempt                 Allow virtual hosts to preempt each
                                           other.  When enabled, a vhid in a
                                           backup state would preempt a master
                                           that is announcing itself with a
                                           lower advskew.  Disabled by
                                           default.
I personally like to keep this off and switch back manually. There's a risk of the state going back and forth between MASTER and BACKUP automagically. I like to keep control when to switch back.
 
Usually dhcpd is designed to run in a master/slave configuration on distinct IPs, so no need for CARP.
IIRC dhcpd even refuses to start if the listen IP isn't actively available on any interface, so you'd have to start it manually or via some script after CARP state changes to MASTER - but this will lead to a split-brain configuration of the two dhcpd and possibly will cause duplicate IPs on clients.
I'd just stick with distinct IPs for each dhcpd - personally I usually use .4 and .5 in all networks for DHCP while .1 being the default router (=redundant via CARP) and 2&3 the primary and secondary DNS.
 
IIRC dhcpd even refuses to start if the listen IP isn't actively available on any interface
The "problem" with CARP is that the IP address is available. You just can't send or receive anything on it if it's in the BACKUP state.

But yeah, for DHCP I would probably just use the individual IP addresses, not the VIP one, and set up failover on DHCP itself.

I'd just stick with distinct IPs for each dhcpd - personally I usually use .4 and .5 in all networks for DHCP while .1 being the default router (=redundant via CARP) and 2&3 the primary and secondary DNS.
Use the CARP address for DNS too, resolv.conf(5) allows for three DNS servers. The 'problem' with using individual IP addresses for DNS is that the request to the primary DNS has to time-out before the secondary is questioned. This causes a noticeable (and annoying) delay with every connection on clients.
 
Use the CARP address for DNS too, resolv.conf(5) allows for three DNS servers. The 'problem' with using individual IP addresses for DNS is that the request to the primary DNS has to time-out before the secondary is questioned. This causes a noticeable (and annoying) delay with every connection on clients.
True, there need to be a few timeouts until clients finally figure out to just ask the secondary. I actually never thought about using a (third) CARP-ed IP for DNS. Given that I'm using a distinct management-interface on the LAN DNS servers for upstream and syncing to our master nameserver, I could even use that single CARP IP as the only DNS for clients.
 
Usually dhcpd is designed to run in a master/slave configuration on distinct IPs, so no need for CARP.
IIRC dhcpd even refuses to start if the listen IP isn't actively available on any interface, so you'd have to start it manually or via some script after CARP state changes to MASTER - but this will lead to a split-brain configuration of the two dhcpd and possibly will cause duplicate IPs on clients.
I'd just stick with distinct IPs for each dhcpd - personally I usually use .4 and .5 in all networks for DHCP while .1 being the default router (=redundant via CARP) and 2&3 the primary and secondary DNS.
Dear sko,
thank you for your reply. The setup is only for a few IP addresses. The split-brain situation I had not taken into account. Thanks for that hint.
 
Don't put dhcpd_enable="YES" in rc.conf. Rely on the CARP status via devd(8) to start the service (use service dhcpd onestart to start it so it doesn't need the *_enable="YES")


Code:
     net.inet.carp.preempt                 Allow virtual hosts to preempt each
                                           other.  When enabled, a vhid in a
                                           backup state would preempt a master
                                           that is announcing itself with a
                                           lower advskew.  Disabled by
                                           default.
I personally like to keep this off and switch back manually. There's a risk of the state going back and forth between MASTER and BACKUP automagically. I like to keep control when to switch back.

Dear SirDice,
in /etc/sysctl.conf I have set net.inet.carp.preempt=1. The "onestart" is a clever idea. Thanks for sharing it.
 
after CARP state changes to MASTER - but this will lead to a split-brain configuration of the two dhcpd and possibly will cause duplicate IPs on clients.

Hi sko,
another idea/question. The two hosts are running in a VMware environment. Could I add an iSCSI device and use multipathing?
Only the MASTER should mount the file system.
 
The "onestart" is a clever idea. Thanks for sharing it.
Another idea is to execute sysrc dhcpd_enable="YES" if the interface is MASTER and execute sysrc -x dhcpd_enable if set to BACKUP. I've used the sysrc(8) trick to enable/disable the periodic script (in /etc/periodic.conf) for Letsencrypt certificates. It should only run if the host is set to MASTER and be disabled on the BACKUP. A deploy script will rsync the certificates to the other node if something gets updated.
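As an added example (not code from any poster in this thread), the following script shows how the devd-triggered approach from the original post and SirDice's onestart suggestion fit together: the devd event only tells the script which vhid changed, the script then reads the live CARP state from ifconfig(8) and runs `service dhcpd onestart` only for MASTER, and `onestop` for every other state, so a host that reboots and comes up BACKUP never serves leases. The vhid 66 on vmx0 comes from the OP's rc.conf; the script path, the devd.conf stanza (modelled on the carp(4) sample the OP mentions) and the ifconfig sample output are assumptions constructed for the example.

```shell
#!/bin/sh
# carp_dhcpd.sh: keep dhcpd running only while this host is CARP MASTER.
# Added example for this thread; not code from the original posts.
# devd(8) calls it as: carp_dhcpd.sh <vhid>@<interface> <MASTER|BACKUP|INIT>
# Assumed /etc/devd/dhcpd.conf stanza (modelled on the carp(4) sample):
#   notify 0 {
#       match "system"    "CARP";
#       match "subsystem" "[0-9]+@[a-z0-9]+";
#       match "type"      "(MASTER|BACKUP|INIT)";
#       action "/usr/local/sbin/carp_dhcpd.sh $subsystem $type";
#   };
# The path /usr/local/sbin/carp_dhcpd.sh is an assumption.

set -u

# Read `ifconfig <if>` output on stdin and print the CARP state of one vhid:
# MASTER, BACKUP, INIT, or UNKNOWN when that vhid is not on the interface.
carp_state() {
    awk -v vhid="$1" '
        $1 == "carp:" && $3 == "vhid" && $4 == vhid { print $2; found = 1; exit }
        END { if (!found) print "UNKNOWN" }'
}

# Map a CARP state to the rc(8) action. Only MASTER runs dhcpd; BACKUP, INIT
# and anything unexpected stop it, which is what avoids two active servers.
dhcpd_action() {
    case $1 in
        MASTER) echo onestart ;;
        *)      echo onestop ;;
    esac
}

# Pure decision: subsystem ("66@vmx0") plus ifconfig text -> action.
# Kept separate from the side effects so it can be exercised offline.
decide_from_text() {
    _vhid=${1%@*}
    dhcpd_action "$(printf '%s\n' "$2" | carp_state "$_vhid")"
}

# Live decision: query the interface instead of trusting the event argument,
# because devd can deliver several state changes in quick succession at boot.
decide() {
    _if=${1#*@}
    decide_from_text "$1" "$(ifconfig "$_if")"
}

apply() {
    _action=$(decide "$1")
    # onestart/onestop do not need dhcpd_enable="YES" in rc.conf, so the
    # rc boot sequence itself never starts dhcpd on a BACKUP host.
    service dhcpd "$_action"
    logger -t carp_dhcpd "$1 -> $_action"
}

# Constructed ifconfig(8) output for vhid 66 in the given state (documentation
# addresses); used only to demonstrate the parsing offline.
sample_ifconfig() {
    printf 'vmx0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500\n'
    printf '\tinet 192.0.2.7 netmask 0xffffffe0 broadcast 192.0.2.31\n'
    printf '\tinet 192.0.2.6 netmask 0xffffffe0 broadcast 192.0.2.31 vhid 66\n'
    printf '\tcarp: %s vhid 66 advbase 1 advskew 10\n' "$1"
}

# Act only when invoked with the devd arguments; sourcing the file for its
# functions has no side effects.
if [ $# -ge 1 ]; then
    apply "$1"
fi
```

Note that the script deliberately does not mirror the state into rc.conf with sysrc(8): a host that reboots while `dhcpd_enable="YES"` is set would start dhcpd from rc before CARP has settled, which is exactly the race the OP ran into. The sysrc trick fits jobs that are polled rather than started at boot, such as the periodic(8) entries mentioned above. This also does not remove sko's split-brain caveat: if the BACKUP ever fails to receive the state change, both hosts can still hand out leases, which is why dhcpd's own failover on distinct addresses remains the more robust design.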
 